Iranian Group OilRig is back and delivers digitally signed malware

ClearSky Security discovered a new campaign conducted by the Iranian OilRig APT leveraging digitally signed malware and fake University of Oxford domains.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015.

Researchers at Palo Alto Networks have been monitoring the group for some time and have reported attacks launched against government agencies, financial institutions and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait and Qatar, the United States, and Turkey.

The name OilRig was used by Palo Alto Networks to identify the campaign of this specific threat actor that leveraged on weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor called “Helminth.”

Now we have a new update on the activity of the OilRig APT that in a recent string of attacks targeted several Israeli organizations, including IT vendors, the national postal service, and financial institutions.

Security experts from ClearSky discovered that the Iranian hackers set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it.

The hackers used the email accounts of the IT vendors to send messages containing links to the fake VPN portal to the victims.

“The email was sent from a compromised account of an IT vendor. Similar emails were sent from other IT vendors in the same time period, suggesting the attackers had a foothold within their networks, or at least could get access to specific computers or email accounts.” reads the analysis from ClearSky.

When the victims land on the rogue Juniper website, they were instructed to install a VPN client, in this case, attackers used a legitimate software from Juniper Networks packaged with the Helminth malware.

Hackers signed the malicious VPN client with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. The researchers also discovered a second sample of the Helminth malware signed with another certificate.

This suggest that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network. Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.” states the analysis.

Researchers also discovered other attacks in which the OilRig group used four domain names apparently belonging to Oxford University (including oxford-symposia[.]com, oxford-careers[.]com, oxford[.]in and oxford-employee[.]com).

In one case the hackers set up a fake Oxford conference registration website, when the victims visited it they were instructed to install a tool allegedly needed for pre-registration that hides a malware. Also in this case, the tool is signed with an AI Squared certificate.

In December 2015, researchers at Symantec detailed the activities of two Iran-based hacker groups, dubbed Cadelle and Chafer, that used the backdoor.Cadelspy and backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations.

The IP address 83.142.230.138 mentioned in the Symantec report linked to the C&C infrastructure used by the Chafer group is the same used by the OilRig.

“Backdoor.Remexi, one of the malware in use by Chafer, had the following command and control host:

87pqxz159.dockerjsbin[.]com

Interestingly, IP address 83.142.230.138, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.”

This circumstance suggests that the Chafer and Oilrig are the same Iranian entity.

Further technical details and Indicators of Compromise are available in the ClearSky report.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.